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ERP Implementations and its Major Challenges 
in Auditing Security Issues for SME 


ABSTRACT 


Enterprise Resource planning was a term restricted purely to elite class. This scene was 
witnessed in the IT market for some long time ever since ERP was introduced. The large 
organizations went ahead with ERP process unmindful of negative consequences, not to 
forget mentioning the fact that they took every proactive measure to curb the same. 
Needles to say firms were interested in serving such large players. So the fate of Small 
and Medium enterprises remained unanswered. ERP for S.M.E's (Small and Medium 
Enterprises) remained a mere dream. Enterprise Resource planning helps S.M.E.'s to 
enjoy unimaginable benefits. Nevertheless the problems of ERP in S.M.E.'s remain 
unsolved. There are still ups and downs in it. There are some problems for S.M.E.'s in the 
ERP market .They are not only from the addressed in the company's perspective but also 
in the vendor's perspective. 


The troubles faced by S.M.E.'s with regards to ERP is quiet understandable. However 
they can be rectified. Even if they are not taken out totally there is always a scope for 
making things better and making ERP's more user friendly for Small and Medium 
Enterprises. The vendor's primary concern should be solving ERP problems in S.M.E.'s. 
This is emphasized because ERP problems in Small and medium enterprises are many. 
However in this paper we extensively studied major implementation challenges and 
security issues pertaining to the implementation of ERP in various SME’s. 


INTRODUCTION 


Enterprise Resource Planning (ERP) for small business calls for voluminous investments. 
The amount was fairly affordable to small business entities. There is no doubt or two say 
about its benefits. But the question that kept ringing in the market was can everyone 
afford it. The answer was a stubborn no initially but not anymore. ERP outsourcing, 
Open Source ERP's and ERP applications designed for S.M.E.'s (Small and medium 
Enterprises) have successfully overcome the above said limitations. 


Enterprise Resource Planning (ERP) is an enterprise-wide information system designed 
to coordinate all the resources, information, and activities needed to complete business 
processes such as order fulfillment or billing. Many firms rely on ERP systems to 
implement business processes and integrate financial data across their value chains. This 
reliance increases the importance of ERP system security in protection of a firm's 
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information assets. In recent years, the audit of ERP security has gained importance and 
begun receiving an increasing percentage of firms' audit budgets. However, the audit of 
ERP security remains a complex, lengthy and costly task due to a confluence of factors. 


DEMOGRAPHIC PRESENCE OF SME's 


A total of 358 SMEs were contacted for the study. The demographic characteristics of the 
respondents were shown in Figure-1. We can find that as many as 39.4 per cent of SMEs 
were Sole Proprietorship, 10.9 per cent belongs to partnership and 49.7 per cent were 
companies. Majority of the respondents i.e. about 72.6 percent belongs to family business 
and 27.4 per cent of respondents belong to non-family business. If we industry area, out 
of total samples 12.60 percent belongs to City, 0.8 percent of respondents belongs to 
village area and 86.6 per cent belongs to village area. So the following factors influenced 
to implement the ERP systems in SME’s. 


STABILIZATION OF ERP IN S.M.E.s 


SO they had to naturally look for greener and fresher pastures. S.M.E.'S was the only 
answer. The next question was how to provide best services at an affordable cost and still 
make profit. In this case the vendors had to be worried only about the number of sales 
they could make and not the quantum of profits because the number of vendors was few 
and far between when compared with the number of S.M.E.'S choosing to go for ERP. As 
the saying goes "necessity is the mother of Invention" vendors had to devise cost 
effective applications to meet the demands of the Small and Medium enterprises. This 
was the origin of ERP for S.M.E.'S. This benefited them in terms of business .On the 
other hand the firms enjoyed greater benefits by making use of this application. Hence 
ERP and S.M.E. was weighed on the same scale. Figure 1 shows the Portfolio Options 
for implementing ERP systems in enterprises. 


IMPLEMENTATION PROBLEMS OF ERP IN S.M.E.'S 
A. Cost 


The small size of the companies proves to be another challenge to the vendor. Since there 
are too many S.M.E.'s in the market they demand a very low price from the vendor. It 
becomes practically impossible for the vendor to offer at such quotations as he would not 
even be guaranteed of a return in the costs. Small business erp is not expensive software 
but still requires lot of work. 


Another issue is that there are a large number of companies in the segments and the 
vendors are few in numbers. Hence the former is able to exercise a considerable influence 
over the later. This issue also makes things difficult for the company. At times they have 
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to comprise on quality due to unfair demands. There has been no full stop to this as the 
companies have failed to change their attitude in this regard. 


The companies can definitely claim cost advantages due to the competition .But if they 
are bound to be unreasonable they cannot expect the vendor to deliver the best. They 
need to keep in mind that the vendors have come a long way after exploring their 
segment which was untouched for quiet a long time. The companies are not able to avail 
the best business ERP small software due to these difficulties. 


B. Choice 


Companies have to exercise adequate care in choosing their ERP vendor and Small 
business ERP Software. This is a big dilemma for companies because they are unsure of 
choosing software offered by a branded player or a small player. That really makes no 
difference as long as the software and vendor suits all the requirements. Some companies 
debate that only a branded player can satisfy the requirements even though the recipient 
is a small concern. While the other argues that only small vendors are flexible when it 
comes to customizations. Each argument has its own merits and demerits. However 
companies tend to select the wrong option on the basis of these prejudices. As said earlier 
the companies need to take care of their requirements as the first priority before deciding 
on the software or vendor. 


Cc. Customization 


The bigger players have a trouble when it comes to offering solutions for S.M.E.'S. The 
level of customization and the work demanded by the S.M.E.'s some times appear to be 
too much for a bigger player. Moreover their businesses have always been focused to 
corporate giants. So when it comes to the question of S.M.E.'s it takes a great deal of time 
for them to understand the business and design software programs based on modality. 
Even if they are able to meet the requirements the companies always demand more. 
Branded and big vendors don't even yield to the first level and the software programs 
supplied by them prove to be of little use to the company. On the other hand companies 
also find that small ERP vendors are not competent enough to match the requirements of 
the companies. So they approach the bigger companies. Finally they land up in 
understanding that no one can help them to the desired extent. 


D. Confidentiality 


Big vendors don't even offer the source code when it comes to S.M.E.'s. This has resulted 
in lots of functional errors and the very purpose of ERP has been questioned by and large. 
On the other hand when it comes to the companies they hesitate to disclose confidential 
information because they are well aware of the fact that the vendors are limited, few and 
far between in the S.M.E.'s market. This means your vendor and the company's vendor 





www..irj.iars.info Page 5 


5 i. FES * 


international Research Journal Vol. 1, No. 1, 2011 
ISSN 1839-6518 82800101201103 


could be one and the same. The apprehension of the companies look natural but it stops 
the vendor in restructuring the minutest detail in the software to match the company's 
needs for lack of adequate details. 


A total of 421 SMEs were contacted for the study. The demographic characteristics of the 
respondents were shown in Figure-2. We can find that as many as 31.7 per cent of SMEs 
were Cost Concerned, 46.9 per cent are unsure of choosing or refining their IT setups , 
70.9 per cent were or not aware of ERP and 98.6 per cent hesitate due to the vendors are 
limited or the confidentiality factors. 


SUGGESTIONS THAT CAN BE IMPLEMENTED IN S.M.E's: 


A. Structured based software programs 


The main problem faced by S.M.E.'S when it comes to ERP is that their requirement is 
limited while the product offered exceeds their specifications in all ways (including the 
costs).The gap between these two needs to be analyzed by the companies and S.M.E.'s. It 
is not possible for the vendor to bring down their standards for the sake of the company 
neither is it feasible for the later to upgrade for the sake of the former (just for the sake of 
compliance and matching the company's model and that too without any direct monetary 
benefit ). A balance should be stricken between the two. The company and the vendor 
should sit together and analyze the pros and cons of every possibility to match their 
requirements. Both of them should make compromises as and where possible. These 
adjustments even though may seem to be smaller will have greater impact when it comes 
to the structuring of software programs. 


B. Rectifying inherent defects in software programs 


Software is not given due importance in many of the small and medium enterprises. 
Software is looked upon as just another operational tool. This will not have major impact 
at the immediate outset when it comes to other operations (though the loss will be known 
at a later point of time). However the case will not be the same with ERP. 


The vendors experience great difficulty when it comes to installing ERP in such 
companies. They find themselves petrified to handle the resultant consequences because 
the companies might blame the vendor for the failure without realizing that it is due to 
their own inability/carelessness in maintaining software programs. That is why he must 
exercise care in solving ERP problems in S.M.E.'s. 


The vendor needs to carefully review the software competencies in the company. This 
study will help him to asses what the company requires more in terms of software .To 
start with the vendors must initially speak to the in-house IT personnel. They should 
convey their observations very clearly. This will help them in disseminating the 
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information all over the company and speaking to the decision making body. The senior 
management may have greater chances of accepting the vendors suggestion when it is 
supported by IN house IT personnel but with a good faith and in the interests of the 
company. The vendor should take all possible steps to remove the software deficiencies 
in the company before thinking of running the ERP application. 


C. Giving proper attention to ERP 


The vendors have an advantage when it comes to working with bigger players. They 
realize the seriousness of ERP projects not only in terms of the money invested but also 
in the context of the restructuring and the supposedly redefined functions. This feature is 
absent in Small and Medium Enterprises. 


They refuse to show importance as business process reengineering and change 
management looks like absurd to them. They underestimate the jargon and think it is too 
much keeping the size of their firm in mind. The ERP vendor needs to make them realize 
the importance in order to be successful in the project (for both of them). 


MAJOR CHALLENGES IN AUDITING ERP SYSTEMS 


ERP systems are inherently complex systems spanning many functional areas and 
processes along a firm's value chain. They are designed to provide flexible solutions to 
business problems. The sheer number of possibilities available for configuring an ERP 
system implies many potential security configurations. However, ERP systems pay little 
attention to potential conflicts and problems in those security configurations. Deployment 
and implementation of ERP systems also pay little attention to security implications, as 
the main purpose is to solve business problems within time and budget. In post 
implementation stages, auditors have access to rudimentary ERP tools and capabilities for 
auditing security configurations. There are also shortages of staff members trained in the 
ERP security. 


Unfortunately, the increased enthusiasm on this subject has been met with complex and 
costly challenges. Many companies and audit firms are not yet prepared to tackle the 
need for a rigorous ERP security audit. Major challenges in auditing ERP Security are 
given as follows: 


A. Complexity of ERP systems 


Complexity of ERP systems leads to security vulnerabilities. ERP systems must be able 
to process a wide array of business transactions and implement a complex security 
mechanism that provides granular-level access to users. For example, in SAP R/3, 
hundreds of authorization objects are used to allow access to various actions in the 
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system. A small or medium-sized organization may have 100 transactions that are 
commonly used, and each transaction typically requires at least two authorization objects. 
If the company has 200 end users who fill a total of 20 different roles and responsibilities, 
there are approximately 800,000 (100*2*20*200) ways to configure security in the ERP- 
and this scenario excludes other complexity factors, such as multiple transactions sharing 
the same authorization objects, an authorization object having up to 10 fields that can be 
assigned to various values, and the possibility of using position-based security. The point 
of this illustration is that the inherent complexity of an ERP system increases the 
complexity of security configurations and leads to potential security vulnerabilities. 
Flaws, errors and Segregation-Of-Duty (SOD) conflicts become more likely. Consider a 
scenario in which a security administrator has to grant read-only access to transaction X, 
which requires him/her to assign 10 authorization objects to the role. At a later point in 
time, management decides to grant write access to transaction Y, which implies assigning 
five more authorization objects. One of the objects is common to both transactions and 
determines the write capability. Although these two changes are seemingly independent, 
due to the shared authorization object granting write privileges, the unintended 
consequence is a potential SOD conflict. An ERP system does not automatically check 
for these kinds of security vulnerabilities. Unless the security administrator is well trained 
and employs rigorous positive and negative testing, he/she is likely to miss the 
unintended consequence of allowing write access to both transactions X and Y. As the 
number of potential configurations and authorization objects increases, it becomes 
increasingly difficult and costly to analyze the security implications of ERP 
configurations, such as the unintentional creation of SOD conflicts. 


B. Lack of ERP Tools 


ERP tools for security audit are inadequate. Most of the security tools available in ERP 
packages are not designed to facilitate efficient and effective audit of ERP security. The 
main emphasis of ERP tools is on security configuration and maintenance. Recently, 
there has been an increase in the number of third-party product offerings assisting with 
ERP security and SOD reviews. However, many users complain that those tools often 
generate false positives and create more work for auditors. 


C. Customization of ERP Systems 


The customization of ERP systems to firms inhibits the development of standardized 
security solutions. Every ERP implementation contains some level of customization 
specific to the firm undertaking the implementation. However, customization makes it 
difficult to develop a standard approach or methodology for conducting ERP security 
audits. 


D. Manpower 
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There is a shortage of manpower trained in ERP security. Most ERP training programs 
are designed for implementation efforts. They offer very little on ERP security and audit. 
Thus, there is a shortage of auditors who are trained in ERP security. 


E. Inadequate attention towards security 


Implementers pay inadequate attention to ERP security during deployment. Many 
companies do not pay adequate attention to security implications of ERP configurations 
during the deployment and implementation of ERP systems. Implementation teams are 
usually tasked with finishing the implementation projects on time and within budget. 
They do not pay adequate attention to security implications since it increases 
implementation time and budget. Due to limited emphasis on security implications, ERP 
security becomes too lax, making post implementation problem identification and 
remediation very costly. 


F. Conventional Approach 


Most ERP security audits today are performed using a manual approach. There is little 
automation beyond the use of native tools that come standard with ERP packages. 
Unfortunately, the bottleneck of the manual approach is the limitation of the native 
security reporting tools found in most ERP products. These native tools are not designed 
to facilitate a large-scale audit effort, but rather to help security administrators perform 
occasional validation of the accuracy of security configuration. They allow reporting on 
only a single transaction per query, which may be adequate for a security administrator 
who works full time and handles each transaction request individually; however, it is not 
as practical for an IT auditor who is expected to perform the audit in a limited period of 
time and must test a large number of transactions. Although some IT auditors are able to 
utilize technology to perform this process more efficiently than others, as long as the 
process is based on the same philosophy of manual extraction followed by analysis, it 
continues to be an incredibly tedious and time-consuming task. The manual method is 
also prone to human errors. 


The Figure 3 indicates the factors influencing the major challenges in auditing ERP 
system in SME’s are serious. 


CONCLUSION & SCOPE OF FUTURE WORK 


e S.M.E.'s market still continues to be a "bed of opportunities" for ERP Vendor in 
spite of the above mentioned drawbacks. Equally promising is the demand for 
ERP from Small and Medium enterprises. Some proposal should be put forward 
for the welfare of both parties to counter the problem of ERP in S.M.E.'s. 
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e S.M.E.'s are becoming the popular choice of ERP vendors. There is an increasing 
awareness of ERP in S.M.E. market. It has practically helped to unravel the myth 
that ERP is exclusively meant to business empires. ERP and S.M.E have become 
important part of enterprise studies. 

e Unless the ERP vendor and the company sits together to resolve the conflicts it is 
not going to be beneficial to either of them. The onus of initiating lies with the 
vendor when it comes to ERP problems in small and medium enterprises. Since 
he has the required expertise he needs to take the lead in convincing the company 
and be sure of Solving ERP problems in S.M.E.'s. 

e ERP is recognized as an effective tool which supports most of the business 
systems that maintain the data needed for a variety of business functions such as 
Manufacturing, Supply Chain Management, Financials, Projects, Human 
Resources and Customer Relationship Management in a single database. On the 
other hand, auditing of ERP security is also a demanding area which requires 
proper attention. Though many steps have already been taken by various 
researchers world wide, but for smooth and efficient functioning of business tasks 
in a better manner, there is still a need of many more initiatives to be taken in this 
direction. 


Figures and Tables 
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Figure 1: Type of Business and Location 
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Figure 3: Major Challenges in Auditing ERP Systems 
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